Dreamweaver CS3/4/5 - Databases and PHP

[DarkStreet]

I hope you are sanitising those inputs.

 

[froot]

I hope you are sanitising those inputs.

I somehow doubt that he is.

 

[Nod]

The basics on PHP and submitting forms to itself: http://www.html-form-guide.com/php-form/php-form-action-self.html

 

[Pixelbender]

Ive read up about sanitizing and try as much as I can, without breaking the script... any help is welcome

 

[Nod]

Ive read up about sanitizing and try as much as I can, without breaking the script... any help is welcome

Look at the link I posted above.

 

[froot]

Look at the link I posted above.

Also stripping php/other code from inputs in forms, etc. (SQl injection FTW).

 

[Pixelbender]

If I understand what you mean, yes.

On the page where you update (ie update.php?id=45) you will have

$query = "UPDATE users SET last_login = '".$date."' WHERE id = '".$_GET['id']."'";

However, on that same page, you want to view the record so you can see what you are editing...
So you will have

$query = "SELECT * FROM users WHERE id = '".$_GET['id']."'";

Oh, and the page where you click on the link:

<a href = "update.php?id=$id">#<?php echo $id;?></a>

But on this page you will have the following query:

$query = "SELECT * FROM users";

Okay, it's starting to make sense now... I'll probably buy a VTC.com cd on MySQL too. I think my next quest will be to learn the ins and outs on how to structure a database, I kinda get myself into a knot every now and then and need to re-do it

 

[Pixelbender]

So - with Nod's link above, I followed the guide and added the htmlentities function and got a url result of

http://localhost/*****/update.php/"><script>alert('xss')</script><foo

instead of a java pop up, so I guess thats got that page sorted - right?

What I did was - in update.php - I added
$editFormAction = htmlentities($_SERVER['PHP_SELF']);


and then in the form action I echoed $editFormAction

 

[Gnome]

If I understand what you mean, yes.

On the page where you update (ie update.php?id=45) you will have

$query = "UPDATE users SET last_login = '".$date."' WHERE id = '".$_GET['id']."'";

However, on that same page, you want to view the record so you can see what you are editing...
So you will have

$query = "SELECT * FROM users WHERE id = '".$_GET['id']."'";

Oh, and the page where you click on the link:

<a href = "update.php?id=$id">#<?php echo $id;?></a>

But on this page you will have the following query:

$query = "SELECT * FROM users";

I haven't used PHP in a while but that code seems vulnerable to an SQL injection attack.

no matter which forums you go to on the net, you always come across Dreamweaver bashes. I use dreamweaver alot, and dont see that much unnecessary code. The unnecessary code that it spits out is easy to pick up and remove. Beats the hell out of spending your whole day coding.

Depends highly on the person. Some people are slow at typing, need to think about their solution, spend lots of time debugging, not sure how to accomplish something, etc. etc. Hand coded solutions can often be quicker and in most cases more maintainable, it all depends on how experienced and adept the developer is.